
SELinux Mailing List

Re: How SELinux label packet by default?

From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Date: Tue, 18 Jan 2005 10:25:55 -0500


On Tue, 2005-01-18 at 01:11, Park Lee wrote:
> Hi,
> In initial_sid_contexts, there seems to be no default
> packet SID. Then,
> (here, let's not take IPsec protection into
> account)
> 1) When a packet is being sent or received, does
> SELinux label the packet and then control the
> sending/receiving packet according to the label, or
> just ignore it?
> 2) When an unlabeled packet is received from a node,
> what default packet SID will SELinux set on the packet?
> Is it still as "When a message is sent on a
> socket, it inherits the SID of the sending socket by
> default. When the network component receives a message
> from the network, the SID of the message is initially
> set to a default message SID associated with the
> receiving network interface." as is described in
> subsection 8.1.1 of "Integrating Flexible Support for
> Security Policies into the Linux Operating System"?

As I've explained previously, the security fields and hooks needed to label and control sk_buff's (i.e. messages) were not accepted into mainline Linux 2.6, so that code was dropped out of SELinux. SELinux network access control checks were redesigned by James Morris in 2.6.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Tue 18 Jan 2005 - 10:32:05 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service